February 17, 2024 | 13:11

Custom Certificate on MyCloud OS5

The MyCloud NAS device can be configured to automatically redirect to HTTPS when browsing its web interface. The URL it redirects to has the form https://device-local-<GUID>.remotewd.com:8543/. I was wondering whether I could use my own certificate, and after digging a bit into the inner workings it actually worked out.

First of all, I checked which tool is listening on port 8543. The name is nasAdmin:

root@WDMyCloudEX2100 ~ # netstat -tulpen | grep 8543
tcp6       0      0 :::8543                 :::*                    LISTEN      0          16738      4455/nasAdmin

It is started with a configuration file located at /etc/nasAdmin.toml:

root@WDMyCloudEX2100 ~ # ps aux | grep [n]asAdmin
 4455 root      789m S    nasAdmin -configPath /etc/nasAdmin.toml

root@WDMyCloudEX2100 ~ # cat /etc/nasAdmin.toml
[ports]
httpPort = 80
httpsPort = 8543
proxyPort = 8000
sdkClientPort = 8001

[timeouts]
accessTokenTimeoutSec = 300
refreshTokenTimeoutMin = 15
httpTimeoutSec = 180
maxSessionTimeoutSec = 7200

[logging]
stackTrace = false
debugLogging = false

[tls]
enabled = true
logoutWaitSec = 600
restartDelaySec = 172800
certDirectory = "/mnt/HD/HD_a2/restsdk-info/data/crypto2/prod/"
cacheDirectory = "/usr/local/config/certCache"
certWatchRetrySec = 600

[rate_limiters]

    [rate_limiters.auth]
    requests = 20
    seconds = 60
    prefix = "auth"

    [rate_limiters.gen]
    requests = 4000
    seconds = 600
    prefix = "gen"

    [rate_limiters.base]
    requests = 2000
    seconds = 600
    prefix = "base"

The configuration contains the certDirectory option, which points to the directory holding the TLS certificate in use:

root@WDMyCloudEX2100 ~ # ls -1 /mnt/HD/HD_a2/restsdk-info/data/crypto2/prod/
device-<GUID>.remotewd.com
device-local-<GUID>.remotewd.com

The file with local in its name is obviously the one we’re looking for, as it matches the URL we’re redirected to. I don’t know what the other one is used for, but I guess it may be related to the Remote Dashboard Access that can be configured below the HTTPS Redirect on the web interface.

The device-local-<GUID>.remotewd.com file contains two certificates (intermediate and leaf), as well as the key for the leaf certificate. I wrote a script (extract.sh) that extracts the files:

#!/bin/bash
# Usage: ./extract.sh device-local-<GUID>.remotewd.com
# Each line of the input holds one DER object as unpadded base64url. The awk step
# restores the '=' padding openssl needs; the blob is then tried as a certificate
# first and, if that fails, as a private key.

count=1

# `|| [ -n "$line" ]` also processes a last line that has no trailing newline.
while IFS= read -r line || [ -n "$line" ]; do
  echo "$line" \
    | sed 's/-/+/g' \
    | sed 's/_/\//g' \
    | awk -F'.' '{l=length($1)+2; print substr($1"==",1,l-l%4)}' \
    | awk '{print"-----BEGIN CERTIFICATE-----\n"$1"\n-----END CERTIFICATE-----"}' \
    | openssl x509 -inform pem -out cert$count.pem 2>/dev/null \
  || echo "$line" \
    | sed 's/-/+/g' \
    | sed 's/_/\//g' \
    | awk -F'.' '{l=length($1)+2; print substr($1"==",1,l-l%4)}' \
    | awk '{print"-----BEGIN PRIVATE KEY-----\n"$1"\n-----END PRIVATE KEY-----"}' \
    | openssl rsa -out key.pem 2>/dev/null
  (( count++ ))
done < "$1"

After extracting the certificates, we can look at some of their details:

$ ./extract.sh device-local-<GUID>.remotewd.com
$ ls -1 *.pem
cert1.pem
cert2.pem
key.pem
$ for cert in cert*.pem; do openssl x509 -noout -issuer -subject -fingerprint -in $cert; done
issuer=C=US, O=Let's Encrypt, CN=R3
subject=CN=device-local-<GUID>.remotewd.com
SHA1 Fingerprint=86:55:19:F6:38:0C:BE:E5:83:29:9C:66:C6:69:E3:A9:3F:45:D3:D4
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject=C=US, O=Let's Encrypt, CN=R3
SHA1 Fingerprint=A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05

We can also confirm that the key matches the certificate for device-local-<GUID>.remotewd.com (cert1.pem, the leaf) and, as expected, not the intermediate (cert2.pem):

$ diff -qs <(openssl x509 -modulus -noout -in cert1.pem) <(openssl rsa -modulus -noout -in key.pem)
Files /dev/fd/63 and /dev/fd/62 are identical
$ diff -qs <(openssl x509 -modulus -noout -in cert2.pem) <(openssl rsa -modulus -noout -in key.pem)
Files /dev/fd/63 and /dev/fd/62 differ

As a last verification step before creating our own certificate file, we verify that this is indeed the certificate served by the NAS on port 8543, using openssl’s s_client:

$ dig +short device-local-<GUID>.remotewd.com
192.168.1.10
$ openssl s_client -showcerts -connect 192.168.1.10:8543 2>&1 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="sclient_cert"a".pem"; print >out}'
$ for cert in sclient_cert*.pem; do openssl x509 -noout -issuer -subject -fingerprint -in $cert; done
issuer=C=US, O=Let's Encrypt, CN=R3
subject=CN=device-local-<GUID>.remotewd.com
SHA1 Fingerprint=86:55:19:F6:38:0C:BE:E5:83:29:9C:66:C6:69:E3:A9:3F:45:D3:D4
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
subject=C=US, O=Let's Encrypt, CN=R3
SHA1 Fingerprint=A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05

With that said, we can go on and create our own custom certificate file. Given that our certificate chain (tls_cert.pem) and key (tls_key.pem) are PEM files, producing the nasAdmin format (one line of unpadded base64url per DER object, key last) is as easy as:

# Each certificate becomes one line; the END line is turned into a blank line so the
# two certificate bodies stay separate even when tls_cert.pem has no blank line between
# them (as in a concatenated fullchain file). The output already ends with a newline.
cat tls_cert.pem \
| sed 's/-----END CERTIFICATE-----//' \
| grep -v CERTIFICATE \
| tr "\n" "|" \
| sed 's/||\+/\n/g' \
| tr -d "|" \
| sed 's/+/-/g' \
| sed 's/\//_/g' \
| tr -d "=" > mycert
# The key goes on the last line, with the same base64url alphabet and no '=' padding.
cat tls_key.pem \
| grep -v PRIVATE \
| tr -d "\n" \
| sed 's/+/-/g' \
| sed 's/\//_/g' \
| tr -d "=" >> mycert
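The file format that extract.sh and the pipeline above handle (one DER object per line as unpadded base64url: leaf, intermediate, then the PKCS#8 key) as a round-trip converter in Python. This is an added example written for this post, not nasAdmin's or the author's code; it assumes the layout extract.sh relies on, tolerates a '.' suffix per line as extract.sh does, and its DER check is only a structural sanity check, not a signature or key-match verification.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def line_to_der(line):
    """One file line -> DER. Text after a '.' is ignored, as extract.sh's awk -F'.' does."""
    body = line.strip().split(".", 1)[0]
    body += "=" * (-len(body) % 4)          # restore the '=' padding the file omits
    return base64.urlsafe_b64decode(body)

def der_to_line(der):
    """DER -> unpadded base64url line, the inverse of line_to_der."""
    return base64.urlsafe_b64encode(der).decode("ascii").rstrip("=")

def is_der_sequence(der):
    """Sanity check without a crypto library: X.509 certificates and PKCS#8 keys are
    both a top-level SEQUENCE (0x30) whose length field must cover the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    return 0 < n <= len(der) - 2 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_block(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def nasadmin_to_pem(text):
    """Split a certDirectory file into (certificate chain PEM, private key PEM)."""
    blobs = [line_to_der(ln) for ln in text.splitlines() if ln.strip()]
    if len(blobs) < 2 or not all(is_der_sequence(b) for b in blobs):
        raise ValueError("expected two or more lines of base64url-encoded DER")
    chain = "".join(pem_block("CERTIFICATE", c) for c in blobs[:-1])
    return chain, pem_block("PRIVATE KEY", blobs[-1])

def pem_to_nasadmin(cert_pem, key_pem):
    """Build the file as the page's shell pipeline does: one line per certificate in
    chain order, the PKCS#8 key on the last line, no trailing newline."""
    certs = [base64.b64decode("".join(b.split()))
             for label, b in PEM_RE.findall(cert_pem) if label == "CERTIFICATE"]
    keys = [base64.b64decode("".join(b.split()))
            for label, b in PEM_RE.findall(key_pem) if label == "PRIVATE KEY"]
    if not certs or len(keys) != 1:
        raise ValueError("need >= 1 CERTIFICATE block and exactly one PRIVATE KEY block")
    blobs = certs + keys
    if not all(is_der_sequence(b) for b in blobs):
        raise ValueError("a PEM body did not decode to a DER SEQUENCE")
    return "\n".join(der_to_line(b) for b in blobs)
```

Running `nasadmin_to_pem` on the device file and `pem_to_nasadmin` on the output should reproduce the original file byte for byte, which is a quick way to confirm the format before overwriting anything.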

Now we copy the new file to the NAS, back up the current certificate file, overwrite it and restart nasAdmin (the last three commands run on the NAS, inside the certDirectory):

$ scp mycert sshd@192.168.1.10:/mnt/HD/HD_a2/restsdk-info/data/crypto2/prod/
$ cp device-local-<GUID>.remotewd.com device-local-<GUID>.remotewd.com.bak
$ cp mycert device-local-<GUID>.remotewd.com
$ nasAdmin.sh restart

© Pavel Pi 2024
